Archive for September 10th, 2012

Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for such attacks.

The idea behind using a new, custom-built tool is simple: a RAT that security researchers have not yet catalogued is less likely to be detected and easier to keep hidden. However, this does not mean that the attack itself is new. Our monitoring reveals that PlugX is part of a campaign that has been active since (at least) February 2008.

That campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. It was also part of a larger, concerted attack documented earlier this year. True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and one specific corporation in Japan.

Similar to the earlier Poison Ivy campaigns, PlugX arrives as an attachment to spear-phishing emails, either as an archived, bundled file or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We have also encountered instances of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.